If I have 20 routers that are part of the same MPLS L3 VPN and I need to let 10 routers ONLY know about some routes I have at a site that go over a Point to Point VPN, is there a way that I can redistribute these static routes into BGP and only have 10 routers know about them? I ask this because these static routes are subnets that overlap with some of the other 10 routers that DO NOT need to know about them, and if they do rather those sites going to each other for communication, they will come back to me for resources they do not need and traffic will be dropped and they will not be able to get what they really need to get to.
Do you have a diagram of how these sites are laid out? Are you using an ISP's mpls service or your own via p2p links? You *may* be able to do this from the source, but you may have to filter inbound on each router. Are the routes the same for the 10 sites or are they different?
*** Please rate all useful posts ***
So the challenge here is that I need the routers with 10.70.x.x subnets to be able to know about the networks across the tunnel, but at the same need subnets like 10.100.0.0/16 and 10.32.0.0/16 that already exist within the cloud to be able to communicate to each other without an issue. The issue becomes that when I redistribute my static routes into BGP the 10.70.x.x networks work, but all the other routers stop communicating the way they should because they think they need to go across the tunnel as well...So the only think I can think that needs to happen is the ISP needs to create a separate VRF for the site connected to the VPN tunnel and the networks that belong to 10.70.x.x so that when i inject the static routes into that VRF the other routers dont get that advertisement and wont come to me for communication.
I control the CE routers for only the 10.170.0.0/16, 10.70.20.0/26, and 10.70.60.0/23 networks. All other routers are ran by another company that we are breaking away from because of being sold off. So I have to make sure what I do will not break their network.
I might be misunderstanding the issue, but looks like traffic should be affected only for overlapping IP-subnets that are: 10.32.1.0/24, 10.100.52.0/24, 10.100.1.0/24, 10.42.0.0/20
Are they the same subnets you use as a part of 10.100.0.0/16. 10.42.0.0/16 ?
Why do you have overlapping subnets?
Is it possible to reassign addresses or apply NAT on your firewalls?
Overlapping subnets are because of a company merger. NAT will not work because of DNS. The aquiring company as configured secondary DNS zone into my network so that will not work with NAT.
as you said "I have the static routes configured on the Nexus 5ks and they are redistributing those statics into BGP. The Nexus 5k's are peering iBGP with R1." in our thread which disappered somehow from this discussion,
I still think you can "poison" particular prefixes advertised from R1 to the backbone via eBGP.
An outgoing route-map prepending AS numbers of the routers which should not see those prefies should work (unless they would be configured to accept their AS number by allowas-in command).
Do you have the config changes I suggested available?
If yes, could you paste them here for other discussion?
If not, I'll prepare them again but it will take a moment and as I'm busy currentlky, I'll paste them tomorrow.
OK, let's say you want to poison the prefixes behind your tunnel for the routers R2, R3 and R6.
My understanoid is they are advertised to the backbone from the router R1, correct?
And your router R1 is peering to the backbone via a BGP neighbor with x.x.x.x IP address.
Then you can configure on R1:
ip prefix-list behind-tunnel seq 5 permit 10.32.1.0/24
ip prefix-list behind-tunnel seq 10 permit 10.100.1.0/24
ip prefix-list behind-tunnel seq 15 permit 10.100.52.0/24
ip prefix-list behind-tunnel seq 20 permit 10.42.0.0/20
route-map tag-tunnel permit 10
match ip address prefix-list behind-tunnel
set as-path prepend 64702 64703 64706
route-map tag-tunnel permit 20
router bgp 64707
nei x.x.x.x route-map tag-tunnel out
This way routers R2, R3 and R6 will receive the prefixes matech by the route-map tag-tunnel permit 10 section with their own AS number within the AS_PATH and they will drop them.
While the other routers R4 and R5 will receive the prefixes wihout thier own AS number in the AS_PATH and accept them.
All other prefixes advertised to the backobone without any change (route-map tag-tunnel permit 20) will be accepted by all routers.
Am I clear now?
Would the route-map be set on the eBGP neighbor? Would I also have to set it for the iBGP neighbor (Nexus 5k)?
You would only need it on the EBGP peer. In fact IBGP does not modify the AS PATH so it would be doing nothing if applied to the IBGP devices.
Milan, nice solution to this problem.
So what does this look like to a router that is not suppose to use these routes? Do they even see them? Or is it a case where they see them but they arent the best paths to those networks?
look at the BGP Best Path Algorithm here:
It says in the
Why Routers Ignore Paths
"Paths from an external BGP (eBGP) neighbor if the local autonomous system (AS) appears in the AS_PATH
Such paths are denied upon ingress into the router and are not even installed in the BGP Routing Information Base (RIB)."
So the prefix is received but ignored.
If you would ned to permit such prefixes for some special reason, wou would have to configure a special command
neighbor allowas-in, see
Ok so I am going to try this in the next few days, But I wanted to ask one more question...what if I had 10 sites that needed to see certain routes? Would the same process follow, just prepend 10 AS numbers int he route-map?
well this didnt seem to work from what I can tell....some of the statics I redistributed into BGP wont even show in the BGP routing table...
When looking at the ip prefix list what is permit saying on an outbound route map?
Here's what I have on my CE router:
ip prefix-list TunneledNetworks seq 5 permit 10.1.0.0/16
ip prefix-list TunneledNetworks seq 10 permit 10.2.0.0/16
ip prefix-list TunneledNetworks seq 15 permit 10.4.44.0/24
ip prefix-list TunneledNetworks seq 16 permit 10.4.80.0/24
ip prefix-list TunneledNetworks seq 17 permit 10.4.88.0/23
ip prefix-list TunneledNetworks seq 18 deny 10.4.0.0/16
ip prefix-list TunneledNetworks seq 19 permit 10.12.0.0/16
ip prefix-list TunneledNetworks seq 25 permit 10.32.0.0/16
ip prefix-list TunneledNetworks seq 30 permit 10.20.0.0/16
ip prefix-list TunneledNetworks seq 35 permit 10.24.0.0/16
ip prefix-list TunneledNetworks seq 40 permit 10.28.0.0/16
ip prefix-list TunneledNetworks seq 45 permit 10.42.0.0/16
ip prefix-list TunneledNetworks seq 50 permit 10.16.0.0/16
ip prefix-list TunneledNetworks seq 55 permit 10.38.0.0/16
ip prefix-list TunneledNetworks seq 60 permit 10.44.0.0/16
ip prefix-list TunneledNetworks seq 65 permit 10.46.0.0/16
ip prefix-list TunneledNetworks seq 70 permit 10.50.0.0/16
ip prefix-list TunneledNetworks seq 75 permit 10.60.0.0/16
ip prefix-list TunneledNetworks seq 80 permit 10.100.0.0/16
route-map tag-tunnel permit 10
match ip address prefix-list TunneledNetworks
set as-path prepend 64705 64708 64701 64702 64704 64703 64714 64717 64712
route-map tag-tunnel permit 20
of course you need to get the prefixes to the BGP table first to be able to manipulate their AS_PATH.
Which of your static routes redistributed into BGP are not visible in the BGP routing table?
Are you talking about the iBGP neigbor's BGP table?
Ad "... what is permit saying on an outbound route map?")
The prefixes permitted by the prefix list are getting thier AS_PATH changed by the "set as-path prepend ..."command when advertised to the eBGP neighbor (to which the "route-map tag-tunnel out" was applied).
The prefixes not permitted by the prefix-list are advertised with their AS_PATH unchanged due to "route-map tag-tunnel permit 20" command.
Can you show an example of a prefix which is matched by the prefix list but still received on the router which was expected to drop it?
So I am redistributing ALL of the routes in the prefix list into BGP on the Nexus 5k which is iBGP peering with my CE.
I also have all of these same routes being blocked on my 5k from learning them via bgp.
I then go to my CE and apply what it pasted above...
well, this solution is suitable for a small number of sites only.
But generally yes, you could apply some more sophisticated route-map with more prefix-lists "poisoning" a group of prefixes for each site (i.e., AS number) which should reject it.